Is there a way to set Permissions based on user roles by using some
configuration file for my application ?
I'm coming from a Java background, where that could very easily be
accomplished but although I've searched around MSDN I can't find a clear
answer to this ...
Thanks a lot guys,
Angel
O:]
ASP.NET security is based on IIS.
In IIS you can define users, groups etc., and then in your web.config file
you can enable "windows security" or manually enable/disable access for
certain groups.
If you want the entire ASP.NET app to run under another account than the
standard ASP.NET wp, you can use impersonation.
Try some searches on MSDN; they have excellent articles on all these subjects.
yours
Henrik
What I want to get at is having CodeAccess permissions, based on the role of
my user. Not only on ASP.NET though, and definitely by using custom
IPrincipal implementations. I don't want just to restrict access to some
url pattern based on the current user :(
Thanks though,
Angel
O:]
"Henrik Nordgren" <He************@discussions.microsoft.com> wrote in
message news:CD**********************************@microsoft.com...
ASP.NET security is based on IIS.
In IIS you can define users, groups etc., and then in your web.config file you can enable "windows security" or manually enable/disable access for certain groups.
If you want the entire ASP.NET app to run under another account than the standard ASP.NET wp, you can use impersonation.
Try some searches on MSDN; they have excellent articles on all these subjects.
yours
Henrik
Well, that was a very informative set of links there, but still, what I need
to do is ( or should ) be very simple.
I've already got my custom GenericPrincipal subclasses, that get assigned
roles from my application.
What I need to do now is this. Inside the code of some business objects, I
want to be checking (demanding) a certain permission - NOT a
PrincipalPermission though. I don't want the class having to know the
users/groups that can use it, and I don't want the class to have to read
some external configuration file itself, to ask for the right
PrincipalPermission.
I want to learn how the system assigns permissions to users/groups in
general, and whether I can customize that in some sort of declarative
manner, just like I can do in Java using policy files.
Now, that shouldn't be too hard, and it should be available as .NET
functionality. But where ???
Angel
O:]
"UAError" <nu**@null.null> wrote in message
news:33********************************@4ax.com...
"Angelos Karantzalis" <ak**********@agiltech.gr> wrote:
What I want to get at is having CodeAccess permissions, based on the role of my user. Not only on ASP.NET though, and definitely by using custom IPrincipal implementations. I don't want just to restrict access to some url pattern based on the current user :(
Thanks though,
Angel O:]
Code Access Security (CAS) and Role-Based Security (RBS) are totally independent concepts.
CAS is concerned with the identity and origin of the code and further restricts any permissions that the Windows User/Account may already have.
RBS is concerned with the user of your application - it may coincide with the Windows User and his/her membership in Windows Groups (i.e. roles), but RBS can also be independent of Windows Security total, centered on your software.
Designing Application-Managed Authorization http://msdn.microsoft.com/library/de...us/dnbda/html/DAMAZ.asp
.NET Framework Developer's Guide: Introduction to Role-Based Security http://msdn.microsoft.com/library/de...us/cpguide/html/cpconintroductiontorole-basedsecurity.asp
.NET Framework Developer's Guide: Principal and Identity Objects http://msdn.microsoft.com/library/de...us/cpguide/html/cpconprincipalidentityobjects.asp
To (re)use Windows Users and Groups use WindowsIdentity and WindowsPrincipal.
.NET Framework Developer's Guide: Creating WindowsIdentity and WindowsPrincipal Objects http://msdn.microsoft.com/library/de...us/cpguide/html/cpconCreatingWindowsIdentityWindowsPrincipalObjects.asp
.NET Framework Class Library: WindowsIdentity Class http://msdn.microsoft.com/library/de...us/cpref/html/frlrfsystemsecurityprincipalwindowsidentityclasstopic.asp
.NET Framework Class Library: WindowsPrincipal Class http://msdn.microsoft.com/library/de...us/cpref/html/frlrfSystemSecurityPrincipalWindowsPrincipalClassTopic.asp
To implement your own "basic" RBS use GenericIdentity and GenericPrincipal.
.NET Framework Developer's Guide: Creating GenericPrincipal and GenericIdentity Objects http://msdn.microsoft.com/library/de...us/cpguide/html/cpconCreatingWindowsIdentityWindowsPrincipalObjects.asp
.NET Framework Class Library: GenericIdentity Class http://msdn.microsoft.com/library/de...us/cpref/html/frlrfSystemSecurityPrincipalGenericIdentityClassTopic.asp
.NET Framework Class Library: GenericPrincipal Class http://msdn.microsoft.com/library/de...us/cpref/html/frlrfSystemSecurityPrincipalGenericPrincipalClassTopic.asp
If you need a more sophisticated RBS, e.g. your roles imply a certain trust hierarchy, then you need to implement some custom classes implementing the IIdentity and IPrincipal interfaces.
.NET Framework Class Library: IIdentity Interface http://msdn.microsoft.com/library/de...us/cpref/html/frlrfSystemSecurityPrincipalIIdentityClassTopic.asp
.NET Framework Class Library: IPrincipal Interface http://msdn.microsoft.com/library/de...us/cpref/html/frlrfSystemSecurityPrincipalIPrincipalClassTopic.asp
For an overview of CAS
.NET Framework Developer's Guide: Code Access Security http://msdn.microsoft.com/library/de...us/cpguide/html/cpconcodeaccesssecurity.asp
"Angelos Karantzalis" <ak**********@agiltech.gr> wrote:
Well, that was a very informative set of links there, but still, what I need to do is ( or should ) be very simple.
I've already got my custom GenericPrincipal subclasses, that get assigned roles from my application.
What I need to do now is this. Inside the code of some business objects, I want to be checking (demanding) a certain permission - NOT a PrincipalPermission though. I don't want the class having to know the users/groups that can use it, and I don't want the class to have to read some external configuration file itself, to ask for the right PrincipalPermission.
I want to learn how the system assigns permissions to users/groups in general, and whether I can customize that in some sort of declarative manner, just like I can do in Java using policy files.
Now, that shouldn't be too hard, and it should be available as .NET functionality. But where ???
Angel O:]
And why exactly would you make such an assumption?
And why would you expect anyone in a dotNet usenet group to
know what a "Java Policy" file is? (Other platforms solve
security issues in different ways).
Anyway, I took a look at http://mindprod.com/jgloss/policyfile.html
And all the examples I saw were similar to Code Access
Security (CAS; concerns itself with the identity and origin
of the code, not the identity of the user) not RBS.
"JDK 1.2+ file that controls what programs, weblets and
Applets are allowed to do."
Even sounds like CAS.
CAS is configured through the .NET Framework Configuration
Tool or CasPol.exe (and has got nothing to do with IIdentity
or IPrincipal).
.NET Framework Developer's Guide: Code Access Security http://msdn.microsoft.com/library/de...sssecurity.asp
Chapter 8 – Code Access Security in Practice http://msdn.microsoft.com/library/de...l/thcmch08.asp
How To: Use Code Access Security Policy to Constrain an
Assembly http://msdn.microsoft.com/library/de...htcode_acc.asp
Perhaps the question would be "why would anyone in a .NET group ever want to
do anything out of the ordinary ?".
I'm sorry, that was nasty of me. But since there could be a case when you
might want to merge CAS with RBS, there must be a way to do that in a
declarative manner, and not have to program half a framework to do it :(
Angel
O:]
"Peer Reynders" <pe***********@sympatico.ca> wrote in message
news:ck********************************@4ax.com...
"Angelos Karantzalis" <ak**********@agiltech.gr> wrote:
Well, that was a very informative set of links there, but still, what I need to do is ( or should ) be very simple.
I've already got my custom GenericPrincipal subclasses, that get assigned roles from my application.
What I need to do now is this. Inside the code of some business objects, I want to be checking (demanding) a certain permission - NOT a PrincipalPermission though. I don't want the class having to know the users/groups that can use it, and I don't want the class to have to read some external configuration file itself, to ask for the right PrincipalPermission.
I want to learn how the system assigns permissions to users/groups in general, and whether I can customize that in some sort of declarative manner, just like I can do in Java using policy files.
Now, that shouldn't be too hard, and it should be available as .NET functionality. But where ???
Angel O:]
And why exactly would you make such an assumption?
And why would you expect anyone in a dotNet usenet group to know what a "Java Policy" file is? (Other platforms solve security issues in different ways).
Anyway, I took a look at http://mindprod.com/jgloss/policyfile.html
And all the examples I saw were similar to Code Access Security (CAS; concerns itself with the identity and origin of the code, not the identity of the user) not RBS.
"JDK 1.2+ file that controls what programs, weblets and Applets are allowed to do."
Even sounds like CAS.
CAS is configured through the .NET Framework Configuration Tool or CasPol.exe (and has got nothing to do with IIdentity or IPrincipal).
.NET Framework Developer's Guide: Code Access Security http://msdn.microsoft.com/library/de...us/cpguide/html/cpconcodeaccesssecurity.asp
Chapter 8 - Code Access Security in Practice http://msdn.microsoft.com/library/de...us/dnnetsec/html/thcmch08.asp
How To: Use Code Access Security Policy to Constrain an Assembly http://msdn.microsoft.com/library/de...us/dnnetsec/html/htcode_acc.asp
On second read of your post, I can see better where you're coming from...
Well, the definition you found was a bit "constrained" ... you CAN assign
permissions to principals and not only codebases with Java Policy Files.
I'd think that CAS sounds a bit like a small part of Java Authentication and
Authorisation (JAAS) :D
Consider the following:
You're building an application, which supports services in the form of
dynamically downloaded plugins. You can expect that more than one user will
be using the same installation. Some of those plugins though, need the user
to have special authorization (role) to run, others don't. To complicate the
matter a bit further, you can execute the plugin under a "login domain" -
you have multiple login domains in the app, and each time you try to do
anything, you do it under a login domain, a "context" if you will ... , and
the plugins are shared between domains. But you need different roles to use
them under each domain ...
Now, I need a way to assign Code Access ( or Data Access, or whatever
Access ) permissions - at runtime - based on the roles of my user, under the
specific login domain she's currently using ( mind you .. login domains are
just a click on a drop-down list of domains for the user ! ). So ? There
simply MUST be a way to couple CAS and RBS, because it makes sense !!! I
can't believe that MS would leave something like that out of the framework,
when it's trying desperately to match - and possibly exceed - the Java
functionality.
... but most importantly ... sooner or later with the advent of C#, you can
expect to find much more Java people invading your "turf", bringing with
them a whole new mentality where specialization is actually ... BAD !!!
Volvos & SAABs are different cars in behavior, but you can drive them both,
and expect more-or-less the same basic "services" from both, don't you ?
Open your mind a bit ... ;]
Angel
O:]
"Angelos Karantzalis" <ak**********@agiltech.gr> wrote:
On second read of your post, I can see better where you're coming from...
Well, the definition you found was a bit "constrained" ... you CAN assign permissions to principals and not only codebases with Java Policy Files.
I'd think that CAS sounds a bit like a small part of Java Authentication and Authorisation (JAAS) :D
Consider the following:
You're building an application, which supports services in the form of dynamically downloaded plugins. You can expect that more than one user will be using the same installation. Some of those plugins though, need the user to have special authorization (role) to run, others don't. To complicate the matter a bit further, you can execute the plugin under a "login domain" - you have multiple login domains in the app, and each time you try to do anything, you do it under a login domain, a "context" if you will ... , and the plugins are shared between domains. But you need different roles to use them under each domain ...
Now, I need a way to assign Code Access ( or Data Access, or whatever Access ) permissions - at runtime - based on the roles of my user, under the specific login domain she's currently using ( mind you .. login domains are just a click on a drop-down list of domains for the user ! ). So ? There simply MUST be a way to couple CAS and RBS, because it makes sense !!! I can't believe that MS would leave something like that out of the framework, when it's trying desperately to match - and possibly exceed - the Java functionality.
... but most importantly ... sooner or later with the advent of C#, you can expect to find much more Java people invading your "turf", bringing with them a whole new mentality where specialization is actually ... BAD !!! Volvos & SAABs are different cars in behavior, but you can drive them both, and expect more-or-less the same basic "services" from both, don't you ?
Open your mind a bit ... ;]
Angel O:]
Don't ask of others what you aren't willing to do yourself
.... ;]
I suspect that both SUN and Microsoft simply applied
different philosophies to the implementation of security.
Maybe SUN determined that the Java-VM had to be responsible
for ANY aspect of security, especially as they ultimately
have NO control over OS platform security.
Microsoft has FULL control over OS platform security and
they chose not to duplicate security features that were
already present in the OS (ignoring flavours of Win9x and
below).
Windows Security can protect most platform resources with
Access Control Lists (ACLs), so (at least for the time
being) .NET does not duplicate Windows Security.
CAS and RBS cannot grant the user privileges and access
rights he or she doesn't already have. If a .NET application
tries to do something the user isn't entitled to do by
virtue of the access granted to the user account and
memberships in Windows Groups, the OS lets .NET know and
.NET will propagate an exception to the application's
Application Domain.
If you want to prevent an exception, you have the option of
using WindowsPrincipal.IsInRole to check whether the current
user belongs to a Windows group that you assume or know to
have access to the resource.
While privileges are associated with an account or windows
group, access rights are not - access rights are associated
with the resource being protected. Currently you need to use
unmanaged code to read and manipulate ACLs (that will
probably change in the future).
RBS is present to enable you to protect resources that your
application creates and cannot be protected by the OS
platform.
CAS is there to further refine the level of trust that you
have in code of a specific identity or origin.
The only way you can have an application do things the user
isn't allowed to do, is by actually running the application
in the security context of a more privileged account. That
practice however exposes you to a potential "Elevation of
Privilege" attack - this practice has been actively
discouraged since Microsoft's security pushes starting in
late 2001 as it violates the "Principle of Least Privilege".
In fact the internet has grown so "hostile" that the current
best practice is to run an application in a "least
privilege" context which impersonates the user only in
sections of code where the application needs to gain privileges
that USER has.
Now if you are interested in Windows Security as it affects
.NET (rather than .NET Security) have a look at Keith
Brown's Book on-line.
"The .NET Developer's Guide to Windows Security" http://pluralsight.com/wiki/default....eBook.HomePage
when it's trying desperately to match - and possibly exceed - the Java functionality.
And again, you are making assumptions. They aren't.
There is no denying they snoozed when they underestimated
the impact that Java would have. Probably because most
people thought of Java as a language, not a platform. So
when the door slammed on a SUN/Microsoft alliance, they had
to do something.
"Never engage an enemy on their own terms"
SUN et al had made significant progress so if they pitched
.NET against the Java-VM they could at best hope for a tie,
and that would be a faint hope.
So instead, they are using .NET as a catalyst to transform
their server-line to something that may be able to leave
Intel-based hardware platforms in the future, so in fact
.NET is a key component of Windows' struggle against the
*nixes.
For the short term .NET focuses on distributed architectures
simply because the market for servers that "scale up" is
dominated by the *nixes. So Windows/.NET is going after the
"scale out" server market - which suits corporate mentality;
buy a few cheap servers this financial year, a few more the
next (the fact that this requires a team of highly skilled
(and expensive) administrators and developers to pull off is
material for yet another debate).
Expect to see some timebased server-licensing/maintenance
fee options that eliminate upfront cost of the Server OS and
are somewhat competitive to the then better understood
cost-of-ownership of Open Source OSs; this also fits the
corporate "financial year" mentality even though it will
increase the total cost of ownership over the product's
lifetime (car-leases took off; why not this?).
Java and .NET will both stick around and developers will
have to live with it.
Windows and *nixes will also stick around and administrators
will have to live with it.
Meanwhile the battle for marketshare rages on ...
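Added example, not code from any poster in this thread: one way to get the effect discussed above with role-based security alone, where a business object demands a named permission and a policy table maps (login domain, role) pairs to permissions. All type names and permission strings are hypothetical, the policy entries are constructed sample data standing in for a configuration file, and the code assumes C# 7 or later.

```csharp
using System;
using System.Collections.Generic;
using System.Security;
using System.Security.Principal;
using System.Threading;

// All type names and permission strings here are hypothetical.
public sealed class DomainPolicy
{
    // (login domain, role) -> permission names; anything absent is denied.
    private readonly Dictionary<(string, string), HashSet<string>> grants =
        new Dictionary<(string, string), HashSet<string>>();

    public void Grant(string domain, string role, params string[] permissions)
    {
        if (!grants.TryGetValue((domain, role), out HashSet<string> perms))
            grants[(domain, role)] = perms = new HashSet<string>();
        perms.UnionWith(permissions);
    }

    public bool Allows(string domain, string role, string permission) =>
        grants.TryGetValue((domain, role), out HashSet<string> perms)
        && perms.Contains(permission);
}

// GenericPrincipal subclass that also carries the active login domain.
public sealed class DomainPrincipal : GenericPrincipal
{
    private readonly string[] roles;
    private readonly DomainPolicy policy;
    public string ActiveDomain { get; }

    public DomainPrincipal(IIdentity id, string[] roles, string domain, DomainPolicy policy)
        : base(id, roles)
    {
        this.roles = (string[])roles.Clone();
        this.policy = policy;
        ActiveDomain = domain;
    }

    public bool HasPermission(string permission)
    {
        foreach (string role in roles)
            if (policy.Allows(ActiveDomain, role, permission)) return true;
        return false;
    }
}

public static class Access
{
    // Business code names a permission only; roles and domains live in policy.
    public static void Demand(string permission)
    {
        var principal = Thread.CurrentPrincipal as DomainPrincipal;
        if (principal == null || !principal.HasPermission(permission))
            throw new SecurityException("Permission denied: " + permission);
    }
}

public sealed class ReportPlugin
{
    public string Run() { Access.Demand("reports.run"); return "report generated"; }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample policy; a real one would be read from a file.
        var policy = new DomainPolicy();
        policy.Grant("finance", "analyst", "reports.run");
        policy.Grant("hr", "manager", "reports.run");
        var user = new GenericIdentity("alice");
        var roles = new[] { "analyst" };
        var plugin = new ReportPlugin();
        // Same user and roles under two login domains: only the domain changes.
        Thread.CurrentPrincipal = new DomainPrincipal(user, roles, "finance", policy);
        Console.WriteLine(plugin.Run());
        Thread.CurrentPrincipal = new DomainPrincipal(user, roles, "hr", policy);
        try { plugin.Run(); }
        catch (SecurityException e) { Console.WriteLine(e.Message); }
    }
}
```

The check denies by default: a principal of any other type, or a (domain, role) pair with no policy entry, fails the demand.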
... I'll just have to do it myself then :D